Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13242

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-09 Jan, 2025 | 18:49
Updated At-10 Jan, 2025 | 17:12
Rejected At-
Credits

Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006

Exposed Dangerous Method or Function vulnerability in Drupal Swift Mailer allows Resource Location Spoofing.This issue affects Swift Mailer: *.*.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:09 Jan, 2025 | 18:49
Updated At:10 Jan, 2025 | 17:12
Rejected At:
▼CVE Numbering Authority (CNA)
Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006

Exposed Dangerous Method or Function vulnerability in Drupal Swift Mailer allows Resource Location Spoofing.This issue affects Swift Mailer: *.*.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
Swift Mailer (abandoned)
Collection URL
https://www.drupal.org/project/swiftmailer
Repo
https://git.drupalcode.org/project/swiftmailer
Default Status
unaffected
Versions
Affected
  • *.* (semver)
Problem Types
TypeCWE IDDescription
CWECWE-749CWE-749 Exposed Dangerous Method or Function
Type: CWE
CWE ID: CWE-749
Description: CWE-749 Exposed Dangerous Method or Function
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-154CAPEC-154 Resource Location Spoofing
CAPEC ID: CAPEC-154
Description: CAPEC-154 Resource Location Spoofing
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Adam Shepherd
remediation developer
Adam Shepherd
remediation developer
Wayne Eaker
coordinator
Damien McKenna
coordinator
Greg Knaddison
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-contrib-2024-006
N/A
Hyperlink: https://www.drupal.org/sa-contrib-2024-006
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:09 Jan, 2025 | 19:15
Updated At:04 Jun, 2025 | 16:49

Exposed Dangerous Method or Function vulnerability in Drupal Swift Mailer allows Resource Location Spoofing.This issue affects Swift Mailer: *.*.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CPE Matches
swift_mailer_project
swift_mailer_project
>>swift_mailer>>*
cpe:2.3:a:swift_mailer_project:swift_mailer:*:*:*:*:*:drupal:*:*
Weaknesses
CWE IDTypeSource
CWE-749Secondarymlhess@drupal.org
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: CWE-749
Type: Secondary
Source: mlhess@drupal.org
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.drupal.org/sa-contrib-2024-006mlhess@drupal.org
Vendor Advisory
Hyperlink: https://www.drupal.org/sa-contrib-2024-006
Source: mlhess@drupal.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

9Records found
CVE-2024-13281
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.1||CRITICAL
EPSS-0.17% / 38.45%
||
7 Day CHG+0.03%
Published-09 Jan, 2025 | 19:35
Updated-02 Sep, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045

Incorrect Authorization vulnerability in Drupal Monster Menus allows Forceful Browsing.This issue affects Monster Menus: from 0.0.0 before 9.3.2.

Action-Not Available
Vendor-monster_menus_projectThe Drupal Association
Product-monster_menusMonster Menus
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-13277
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.1||CRITICAL
EPSS-0.17% / 38.45%
||
7 Day CHG+0.03%
Published-09 Jan, 2025 | 19:29
Updated-02 Sep, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041

Incorrect Authorization vulnerability in Drupal Smart IP Ban allows Forceful Browsing.This issue affects Smart IP Ban: from 7.X-1.0 before 7.X-1.1.

Action-Not Available
Vendor-smart_ip_ban_projectThe Drupal Association
Product-smart_ip_banSmart IP Ban
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-13278
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.1||CRITICAL
EPSS-0.17% / 38.45%
||
7 Day CHG+0.03%
Published-09 Jan, 2025 | 19:31
Updated-02 Sep, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

Incorrect Authorization vulnerability in Drupal Diff allows Functionality Misuse.This issue affects Diff: from 0.0.0 before 1.8.0.

Action-Not Available
Vendor-diff_projectThe Drupal Association
Product-diffDiff
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-13241
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-9.1||CRITICAL
EPSS-0.38% / 58.72%
||
7 Day CHG+0.23%
Published-09 Jan, 2025 | 18:47
Updated-04 Jun, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005

Improper Authorization vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.0.5.

Action-Not Available
Vendor-getopensocialThe Drupal Association
Product-open_socialOpen Social
CWE ID-CWE-285
Improper Authorization
CVE-2023-50424
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9.1||CRITICAL
EPSS-0.46% / 63.47%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:59
Updated-28 Sep, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Escalation of Privileges in SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go)

SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Action-Not Available
Vendor-SAP SE
Product-cloud-security-client-gogithub.com/sap/cloud-security-client-go
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2023-50422
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9.1||CRITICAL
EPSS-0.54% / 67.05%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:31
Updated-28 Sep, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Escalation of Privileges in SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library)

SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Action-Not Available
Vendor-SAP SE
Product-cloud-security-services-integration-librarycloud-security-services-integration-library
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2023-49583
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9.1||CRITICAL
EPSS-0.35% / 56.94%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:22
Updated-28 Sep, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Escalation of Privileges in SAP BTP Security Services Integration Library ([Node.js] @sap/xssec)

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Action-Not Available
Vendor-SAP SE
Product-\@sap\/xssec@sap/xssec
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2023-50423
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-9.1||CRITICAL
EPSS-0.46% / 63.47%
||
7 Day CHG~0.00%
Published-12 Dec, 2023 | 01:52
Updated-28 Sep, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Escalation of Privileges in SAP BTP Security Services Integration Library ([Python] cloud-pysec)

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Action-Not Available
Vendor-SAP SE
Product-sap-xssecsap-xssec
CWE ID-CWE-749
Exposed Dangerous Method or Function
CVE-2014-5415
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.1||CRITICAL
EPSS-4.19% / 88.47%
||
7 Day CHG~0.00%
Published-05 Oct, 2016 | 10:00
Updated-05 Nov, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Beckhoff Embedded PC Images and TwinCAT Components Exposed Dangerous Method or Function

Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components might allow remote attackers to obtain access via the (1) Windows CE Remote Configuration Tool, (2) CE Remote Display service, or (3) TELNET service.

Action-Not Available
Vendor-Beckhoff Automation GmbH & Co. KG
Product-embedded_pc_imagestwincatTwinCAT Components featuring Automation Device Specification (ADS) communicationEmbedded PC Images
CWE ID-CWE-749
Exposed Dangerous Method or Function
Details not found